mirror of
https://github.com/kyverno/kyverno.git
synced 2025-03-09 17:37:12 +00:00
5a0ce6bb67
* chore: bump chainsaw Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more template use Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * v0.2.10 Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * go mod Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
44 lines
1.3 KiB
YAML
44 lines
1.3 KiB
YAML
apiVersion: kyverno.io/v1
|
|
kind: ClusterPolicy
|
|
metadata:
|
|
name: allowed-annotations
|
|
status:
|
|
autogen:
|
|
rules:
|
|
- match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- DaemonSet
|
|
- Deployment
|
|
- Job
|
|
- ReplicaSet
|
|
- ReplicationController
|
|
- StatefulSet
|
|
name: autogen-allowed-fluxcd-annotations
|
|
validate:
|
|
deny:
|
|
conditions:
|
|
all:
|
|
- key: '{{ request.object.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
|
|
operator: AnyNotIn
|
|
value:
|
|
- fluxcd.io/cow
|
|
- fluxcd.io/dog
|
|
message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
|
|
- match:
|
|
any:
|
|
- resources:
|
|
kinds:
|
|
- CronJob
|
|
name: autogen-cronjob-allowed-fluxcd-annotations
|
|
validate:
|
|
deny:
|
|
conditions:
|
|
all:
|
|
- key: '{{ request.object.spec.jobTemplate.spec.template.metadata.annotations.keys(@)[?contains(@, ''fluxcd.io/'')] }}'
|
|
operator: AnyNotIn
|
|
value:
|
|
- fluxcd.io/cow
|
|
- fluxcd.io/dog
|
|
message: The only approved FluxCD annotations are `fluxcd.io/cow` and `fluxcd.io/dog`.
|